RC4 is a stream cipher with well-documented statistical flaws that make it unsuitable for any modern use. It was the cipher behind the Wi-Fi security protocol WEP (Wired Equivalent Privacy) and one of the cipher options in TLS (Transport Layer Security, the protocol behind HTTPS) until practical attacks on those uses were published in 2001 and 2013 respectively. RC4 was designed in 1987 by Ron Rivest of RSA Security. It was kept as a trade secret rather than published, but the algorithm was reverse-engineered and posted anonymously to a mailing list in 1994. Because the name RC4 is a trademark of RSA, the leaked algorithm is also called ARC4 or ARCFOUR (Alleged RC4).
Technipages Explains RC4
WEP's use of RC4 was so flawed that it is possible to recover the key of so-called 128-bit WEP (a 104-bit secret key plus a 24-bit IV) in less than a minute. The problem was not RC4's speed or key size but how WEP fed it key material: every packet is encrypted under the secret key with a public 24-bit initialization vector simply prepended, and the 2001 attack by Fluhrer, Mantin and Shamir showed that certain "weak" IVs leak a byte of the secret key through the first keystream byte, which the attacker knows because every frame starts with the same LLC/SNAP header byte. Later refinements (the 2007 PTW attack) cut the number of packets needed to a few tens of thousands, which is where the under-a-minute figure comes from. When the attack was first demonstrated there was no alternative Wi-Fi security protocol, and the WPA standard that eventually superseded WEP had to be rushed out as an interim fix that could still run on WEP-era hardware.
RC4 as used in TLS was one of the few widely deployed cipher options not affected by the BEAST attack of 2011, because BEAST targets CBC (cipher block chaining) mode and RC4 is a stream cipher. Since SSLv3 and TLS 1.0 offer only CBC block ciphers and RC4, RC4 was for a time recommended as a workaround, until practical attacks on the RC4 cipher suites were published in 2013. Those attacks exploit small statistical biases in the RC4 keystream: if the same plaintext (a session cookie, say) is encrypted under enough different keys, the biases let the attacker recover it. They need vastly more data than the WEP attack, on the order of 2^30 encryptions of the same secret, but that was already considered within reach of government security agencies, and by 2015 improved attacks could recover a cookie in a matter of days.
A large number of other attacks have shown statistical weaknesses in RC4 both before and since those two headline results, including biases in the first bytes of every keystream regardless of the key (which is why some deployments discard the first 256 or more bytes, a mitigation that turned out to be insufficient on its own). In general, RC4 should not be used at all: modern alternatives such as AES-GCM and ChaCha20-Poly1305 are faster on current hardware and have no known practical weaknesses.
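The two attacks described above, as an added example that is not part of the Technipages article: a minimal RC4 implementation, a measurement of the Mantin-Shamir bias (the second keystream byte is 0 about twice as often as it should be, the kind of bias the TLS attacks build on), and a WEP-style key recovery in the spirit of the Fluhrer-Mantin-Shamir attack. The "captured packets", the 40-bit secret key and all function names are constructed for the example; the attack replays the part of the key schedule it knows (IV plus already recovered bytes), keeps only IVs that leave the schedule in the "resolved" state, and votes on the next key byte from the first keystream byte.

```python
# Added example (not Technipages' code): toy RC4 plus two classic attacks on it.
# 1. Mantin-Shamir bias: the 2nd keystream byte is 0 with probability ~2/256.
# 2. WEP key recovery: WEP prepends a public 24-bit IV to the secret key, and
#    IVs of the form (A+3, 255, X) leak secret key byte A via the 1st keystream byte.
# All "captured packets" are constructed locally; nothing here touches a network.
import random

def rc4_ksa(key):
    """Key-scheduling algorithm: derive the initial permutation S from the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key, n):
    """Pseudo-random generation algorithm: yield the first n keystream bytes."""
    S = rc4_ksa(key)
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]

def rc4_crypt(key, data):
    """Encryption and decryption are the same XOR against the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key, len(data))))

def second_byte_zero_rate(trials, seed=1):
    """Fraction of random 16-byte keys whose 2nd keystream byte is 0 (~2/256 for RC4)."""
    rng = random.Random(seed)  # seeded so the measurement is reproducible
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if list(rc4_keystream(key, 2))[1] == 0:
            hits += 1
    return hits / trials

SNAP_BYTE = 0xAA  # every WEP data frame starts with this LLC/SNAP header byte

def wep_capture(secret, iv):
    """Constructed 'sniffed' packet as (iv, first keystream byte): the IV is sent in
    clear, and XORing the first ciphertext byte with 0xAA yields the keystream byte."""
    return iv, rc4_crypt(iv + secret, bytes([SNAP_BYTE]))[0] ^ SNAP_BYTE

def fms_votes(packets, known, A):
    """Vote on secret key byte A (K[A+3] of IV||key) using packets whose IV leaves
    the KSA in a 'resolved' state after the A+3 steps the attacker can replay."""
    votes = [0] * 256
    for iv, z1 in packets:
        K = iv + known
        S = list(range(256))
        j = 0
        for i in range(A + 3):  # replay the steps whose key bytes are known
            j = (j + S[i] + K[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        a = S[1]
        if a >= A + 3 or (a + S[a]) & 0xFF != A + 3:  # FMS resolved condition
            continue
        # With probability ~5% the remaining KSA steps leave S[1], S[a] and S[A+3]
        # alone, so z1 == S[A+3] after step A+3 == S[j + S[A+3] + K[A+3]] right now.
        votes[(S.index(z1) - j - S[A + 3]) & 0xFF] += 1
    return votes

def recover_wep_key(packets, keylen, width=3):
    """Greedy FMS with light backtracking (the idea behind aircrack-ng's 'fudge
    factor'): try the `width` best candidates per byte and verify full keys against
    the captures, so a wrong branch is never returned as the answer."""
    def verify(key):
        return all(next(rc4_keystream(iv + key, 1)) == z1 for iv, z1 in packets[:8])
    def search(known):
        if len(known) == keylen:
            return known if verify(known) else None
        votes = fms_votes(packets, known, len(known))
        for cand in sorted(range(256), key=lambda b: -votes[b])[:width]:
            found = search(known + bytes([cand]))
            if found is not None:
                return found
        return None
    return search(b"")

def demo_wep_attack(secret=b"\x1f\x8a\x07\xc3\x5e"):
    """Simulate a 40-bit WEP network emitting one packet per weak IV (A+3, 255, X)
    and recover the secret from those 256*len(secret) captures. A 13-byte secret
    (104-bit, marketed as '128-bit WEP') works the same way with more captures."""
    packets = [wep_capture(secret, bytes([A + 3, 255, X]))
               for A in range(len(secret)) for X in range(256)]
    return recover_wep_key(packets, len(secret))

if __name__ == "__main__":
    print("P[Z2 == 0] over 20000 random keys:", second_byte_zero_rate(20000))
    print("recovered WEP key:", demo_wep_attack().hex())
```

Two design points worth noticing. The WEP attack never brute-forces anything: each resolved IV gives a guess that is right about 5% of the time while wrong guesses are spread almost uniformly, so a few hundred weak IVs per byte make the correct byte stand out, and the key is recovered byte by byte in linear rather than exponential time. The bias measurement is the TLS story in miniature: a single bias of 2/256 is visible after a few thousand keys, and the 2013 attacks simply combine many such biases across the first 256 keystream bytes, which is why they need millions of encryptions of the same secret rather than thousands.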
Common Uses of RC4
- RC4 is a stream cipher invented by Ron Rivest: a key-dependent permutation of 256 bytes is stepped to produce a keystream that is XORed with the data, so encryption and decryption are the same operation.
- The main factors in RC4's success in a wide range of applications were its speed and simplicity; the whole algorithm fits in a dozen lines of code and needs no hardware support.
- Besides WEP and SSL/TLS, RC4 was used in WPA's TKIP, SSH-1, Microsoft's MPPE and the Kerberos RC4-HMAC encryption type, all of which have since been deprecated or replaced.
- RFC 7465 (2015) prohibits the use of RC4 cipher suites in all versions of TLS, and mainstream browsers and servers have removed them.
Common Misuses of RC4
- Treating RC4 as a hashing algorithm and using it to "securely" store passwords in a database. RC4 is a reversible cipher, not a hash: anyone who obtains the key can decrypt every password, and its known keystream biases mean the ciphertext itself leaks information. Passwords should be stored with a slow, salted password hash such as bcrypt, scrypt or Argon2 instead.